Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
15-02-2024 21:56
Static task
static1
Behavioral task
behavioral1
Sample
9eaae8e37d67a66203912ee78be8c3bd.exe
Resource
win7-20231215-en
General
-
Target
9eaae8e37d67a66203912ee78be8c3bd.exe
-
Size
617KB
-
MD5
9eaae8e37d67a66203912ee78be8c3bd
-
SHA1
dd0975d6b7a28cf0730495d6873e220d4064081e
-
SHA256
5acfa6fa8892b4a6fd659c5e05cd5c80a1e51c4b80c11e9fa0ba477f2e6137d9
-
SHA512
7342dbe3474338c6ad8b6b188825e89c0ecafe29d4333d77d796ea1c77c79ac94a30abbba539a8a98943498bc142b24f51dead25e5271b7c0e138f335388c870
-
SSDEEP
12288:V5VqlAqsvyBT04oKO1ua1Ua/KQOK5+NfYdQNUfs4jEwd7JBujxId+2LU:V5vvU6VqK8Qd1sOBdjujxxs
Malware Config
Extracted
vidar
8
237
http://hospitaleco.com/
-
profile_id
237
Signatures
-
Vidar Stealer 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2404-2-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
behavioral1/memory/2404-56-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
behavioral1/memory/2404-84-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
-
Deletes itself 1 IoCs
Processes:
pid | process
1136 | cmd.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
15 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9eaae8e37d67a66203912ee78be8c3bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9eaae8e37d67a66203912ee78be8c3bd.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
1472 | taskkill.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | 9eaae8e37d67a66203912ee78be8c3bd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | 9eaae8e37d67a66203912ee78be8c3bd.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | 9eaae8e37d67a66203912ee78be8c3bd.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe
2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe
2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe
2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1472 | taskkill.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 2404 wrote to memory of 1136 | 2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe | cmd.exe
PID 2404 wrote to memory of 1136 | 2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe | cmd.exe
PID 2404 wrote to memory of 1136 | 2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe | cmd.exe
PID 2404 wrote to memory of 1136 | 2404 | 9eaae8e37d67a66203912ee78be8c3bd.exe | cmd.exe
PID 1136 wrote to memory of 1472 | 1136 | cmd.exe | taskkill.exe
PID 1136 wrote to memory of 1472 | 1136 | cmd.exe | taskkill.exe
PID 1136 wrote to memory of 1472 | 1136 | cmd.exe | taskkill.exe
PID 1136 wrote to memory of 1472 | 1136 | cmd.exe | taskkill.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe"
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe & exit
- Deletes itself
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\nss3.dll
Filesize 5KB
MD5 7da374e3b5cee2c3ca41229c8d8af094
SHA1 bd115852e581d2686108979a65550014b17bbd6e
SHA256 d0cbf163d2c35044519398c143ef51fc0fe96a7ca5da16eb6e00db5a169e3dce
SHA512 08e3b4a09834d1f8de7eaed0839d87a38fb6a9d4d2a3150af71cd46a8e566fc1d3887725295a36b275a6b1e99336f5e060212e9ab05fe3ee0b1ddb55c7468061
-
C:\Users\Admin\AppData\Local\Temp\Cab5DBC.tmp
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar5DED.tmp
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
memory/2404-1-0x0000000001F70000-0x0000000002070000-memory.dmp
Filesize 1024KB
-
memory/2404-2-0x0000000000400000-0x000000000068B000-memory.dmp
Filesize 2.5MB
-
memory/2404-56-0x0000000000400000-0x000000000068B000-memory.dmp
Filesize 2.5MB
-
memory/2404-60-0x0000000001F70000-0x0000000002070000-memory.dmp
Filesize 1024KB
-
memory/2404-84-0x0000000000400000-0x000000000068B000-memory.dmp
Filesize 2.5MB
-
memory/2404-85-0x0000000001F70000-0x0000000002070000-memory.dmp
Filesize 1024KB